From: dyozie
To: dev@hawq.incubator.apache.org
Reply-To: dev@hawq.incubator.apache.org
Subject: [GitHub] incubator-hawq-docs pull request #131: Document extending KDC ticket interva...
Message-Id: <20171010230255.B289CF5AFE@git1-us-west.apache.org>
Date: Tue, 10 Oct 2017 23:02:54 +0000 (UTC)

Github user dyozie commented on a diff in the pull request:

https://github.com/apache/incubator-hawq-docs/pull/131#discussion_r143874810

--- Diff: markdown/clientaccess/kerberos.html.md.erb ---
@@ -515,6 +516,53 @@ Valid starting Expires Service principal After generating a ticket, you can connect to a HAWQ database as a kerberos-authenticated user using `psql` or other client programs. +### Changing the Ticket Renewal Interval + +The lifetime of the Kerberos ticket may need to be changed. The ticket lifetime is the minimum of the following values: + +* `max_life` in `kdc.conf` on the KDC servers. +* `ticket_lifetime` in `krb5.conf` on the client +* maxlife for the user principal +* maxlife for the service principal in krbtgt\[REALM\] +* maxlife for the AFS service principal "afs/[realm_in_lower_case]" +* the requested lifetime in the ticket request + +**Note:** The kdc.conf file supplements krb5.conf for programs using KDC. The kdc.conf file contains defaults used when issuing Kerberos tickets, as well as KDC configuration information. + +On starting HAWQ, the Resource Manager initializes the kerberos ticket to expire after 12 hours. On KDC servers, this interval can be even longer. (Your specific configuration may differ from these standards, so set the ticket to renew before your system ticket lifetime.) Reset the `server_ticket_renew_interval` to renew prior to the default value and restart the cluster to have the new value take effect. --- End diff -- Also, call out `server_ticket_renewal_interval` as a HAWQ parameter here. ---
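Review bot: In the last added paragraph, "Reset the `server_ticket_renew_interval` to renew prior to the default value" does not say what the interval must be shorter than, what unit the parameter takes, or where it is set. Suggest tying it to the list at the top of the section: the renew interval should be shorter than the effective ticket lifetime, that is, the minimum of the listed values, and the paragraph should state the unit and how the parameter is changed before the cluster restart. The same paragraph writes "kerberos ticket" in lowercase while the other added sentences use "Kerberos". In the bullet list, only the first item ends with a period, `maxlife` is left unformatted while `max_life` and `ticket_lifetime` are in code formatting, and the AFS service principal item should either be explained in relation to HAWQ or dropped. The parameter is spelled `server_ticket_renew_interval` in this hunk; confirm that spelling against the HAWQ configuration reference so the docs use one name throughout.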